W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2021

Re: [webauthn] Device-bound key extension (#1658)

From: Taylor Trimble via GitHub <sysbot+gh@w3.org>
Date: Fri, 19 Nov 2021 01:45:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-973651381-1637286315-sysbot+gh@w3.org>
Please forgive me if this is a dumb question or I'm missing a security property here.

Can the device private key sign over just `clientDataHash` instead of `(clientDataHash || userCredentialId)`? I understand the need to "bind" the device private key to a user credential, but I was thinking the RP can just remember which user credential the device private key is associated with the first time it sees it. The fact that the device private key signs over the RP's challenge (in client data) even serves as a proof-of-possession of the private key.

I assume I'm missing something here that I can learn from. Can someone help me understand? Thank you! 😁

-- 
GitHub Notification of comment by tylrtrmbl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-973651381 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 19 November 2021 01:45:18 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC